The new security features of Android Nougat are significant, so much so that it is the most radical remodelling of Android security in a single version. We took a brief look at the verified boot feature two months ago; here we consider what Nougat means for Android app security testing.
Android 7.x builds on existing security features from Android M (v6.x) and adds new ones, particularly for the enterprise context, one of Google's target markets. This shows Google's intention to lead on Android app security, something also visible in the institution of monthly Android security updates and in its acknowledgement of the security problems caused by fragmentation of the OS.
Booting an Android device has been slow, with two stages of authentication before anything is usable. Android 7.x introduces Direct Boot, which gives access to functions such as the phone and the alarm clock before the user has entered their PIN. This relies on separating storage into 'device protected' storage, which is available as soon as the device has booted, and 'credential protected' storage, which is only decrypted once the user unlocks the device. Apps that provide core functions can therefore run without the PIN having been entered, provided they keep nothing sensitive in device protected storage.
Android 7.x requires hardware-backed storage of encryption keys, using a trusted execution environment such as ARM's TrustZone. Its new file-based encryption, which protects each file with a key tied either to the device or to the user's credential, is a big leap from the full-disk encryption of older versions. One problem is that this hardware isn't available on many older devices, and switching an existing device over to file-based encryption requires a factory reset, wiping its data and apps.
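The split between the two storage areas is what an app has to get right to be Direct Boot aware. The following is an added example, not code from the original post or from Google: a BroadcastReceiver that restores an alarm from device protected storage before the user has unlocked, and only touches credential protected storage after unlock. The preference file names, the AlarmReceiver class and the manifest entry in the comment are assumptions made for this example.

```java
// Manifest entry this receiver assumes (directBootAware lets it run before unlock):
//   <receiver android:name=".BootReceiver" android:directBootAware="true" android:exported="true">
//     <intent-filter>
//       <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED" />
//       <action android:name="android.intent.action.BOOT_COMPLETED" />
//     </intent-filter>
//   </receiver>
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;

public class BootReceiver extends BroadcastReceiver {
    // Hypothetical preference file names chosen for this example.
    static final String DEVICE_PREFS = "alarm_schedule";      // safe in device protected storage
    static final String CREDENTIAL_PREFS = "account_session";  // must stay credential protected
    static final String KEY_NEXT_ALARM = "next_alarm_ms";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // The device has booted but no PIN has been entered: only the device
            // protected area is readable, so this branch must not touch CREDENTIAL_PREFS.
            long nextAlarm = readNextAlarm(context);
            if (nextAlarm > 0) {
                scheduleAlarm(context, nextAlarm);
            }
        } else if (Intent.ACTION_BOOT_COMPLETED.equals(action)) {
            // Sent after the user has unlocked; credential protected storage is decrypted now.
            // One-time migration for an app upgraded from a pre-Nougat version: move the
            // alarm preferences out of the (credential protected) default area so that
            // they are readable before unlock on the next boot.
            Context deviceCtx = context.createDeviceProtectedStorageContext();
            deviceCtx.moveSharedPreferencesFrom(context, DEVICE_PREFS);

            // Session data stays where it is; it is only safe to read once unlocked.
            SharedPreferences session = context.getSharedPreferences(CREDENTIAL_PREFS, Context.MODE_PRIVATE);
            if (isUnlocked(context) && session.contains("refresh_token")) {
                // refresh the account in the background (application specific, not shown)
            }
        }
    }

    /** Reads the next alarm time from device protected storage; works before and after unlock. */
    static long readNextAlarm(Context context) {
        Context deviceCtx = context.createDeviceProtectedStorageContext();
        return deviceCtx.getSharedPreferences(DEVICE_PREFS, Context.MODE_PRIVATE)
                .getLong(KEY_NEXT_ALARM, -1L);
    }

    /** The alarm must fire without a PIN, so its trigger time goes into device protected storage. */
    static void saveNextAlarm(Context context, long triggerAtMillis) {
        Context deviceCtx = context.createDeviceProtectedStorageContext();
        deviceCtx.getSharedPreferences(DEVICE_PREFS, Context.MODE_PRIVATE)
                .edit().putLong(KEY_NEXT_ALARM, triggerAtMillis).apply();
    }

    /** Guard for anything that needs credential protected data: false while the user is still locked. */
    static boolean isUnlocked(Context context) {
        UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
        return um.isUserUnlocked();
    }

    private static void scheduleAlarm(Context context, long triggerAtMillis) {
        // AlarmReceiver is a hypothetical receiver that rings the alarm; it must also be directBootAware.
        Intent fire = new Intent(context, AlarmReceiver.class);
        PendingIntent pi = PendingIntent.getBroadcast(context, 0, fire,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
        AlarmManager am = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
        am.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAtMillis, pi);
    }
}
```

The point to check in a review is the LOCKED_BOOT_COMPLETED branch: anything reached from it must only use a context from createDeviceProtectedStorageContext(), and anything stored there is readable without the user's credential, so tokens, keys and user content belong in the default (credential protected) area and behind an isUnlocked() check.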
No more Stagefright?
Google has tried to neutralise the remote code execution vulnerabilities that stemmed from libstagefright, where malicious media content could execute code in the media server. This part of Android has been rewritten: the media server has been split into separate, modular processes, each sandboxed with seccomp filters to only the system calls and permissions it needs, and the media libraries are compiled with integer overflow sanitisation so that the arithmetic errors behind many of the Stagefright bugs abort the process instead of corrupting memory. Together these make it much harder for attackers to turn a media parsing bug into control of the device.
Android app security testing
Apps are now a lot more restricted, which breaks several of the steps attackers chain together: privilege escalation, capturing device identifiers, and access to other apps' data and process information are all curtailed (apps targeting Nougat can no longer pass raw file:// paths to other apps, which now throws a FileUriExposedException, and /proc is mounted so that an app can only see its own processes), and the hijacking of the lock screen by ransomware is obstructed, since a device-admin app can no longer reset a PIN or password the user has already set.
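The file:// restriction is the one most likely to surface in Android app security testing, because it changes how an app must hand a file to another app. The following is an added example, not code from the original post: the pre-Nougat pattern that now crashes with FileUriExposedException beside the Nougat-compatible version that exposes a single file through a content:// URI with a temporary read grant. The authority string, the provider manifest entry and the paths resource in the comments are assumptions for this example.

```java
// Assumed manifest entry (the authority must match AUTHORITY below) and paths resource:
//   <provider android:name="androidx.core.content.FileProvider"
//             android:authorities="com.example.app.fileprovider"
//             android:exported="false" android:grantUriPermissions="true">
//     <meta-data android:name="android.support.FILE_PROVIDER_PATHS"
//                android:resource="@xml/file_paths" />
//   </provider>
//   res/xml/file_paths.xml:
//   <paths><files-path name="reports" path="reports/" /></paths>
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.File;

public final class ReportSharer {
    // Must match android:authorities in the manifest (assumed value).
    static final String AUTHORITY = "com.example.app.fileprovider";

    /**
     * Pre-Nougat pattern: leaks an absolute filesystem path and relies on the receiving app
     * having permission to read it. With targetSdkVersion 24 or higher, sending this Intent
     * throws FileUriExposedException.
     */
    public static Intent shareUnsafe(File report) {
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("text/plain");
        send.putExtra(Intent.EXTRA_STREAM, Uri.fromFile(report));
        return send;
    }

    /**
     * Nougat-compatible pattern: the receiving app gets a content:// URI that maps to exactly
     * one file under the paths the provider whitelists, readable only while the grant lasts.
     * FileProvider throws IllegalArgumentException if the file is outside those paths.
     */
    public static Intent shareSafe(Context ctx, File report) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, report);
        Intent send = new Intent(Intent.ACTION_SEND);
        send.setType("text/plain");
        send.putExtra(Intent.EXTRA_STREAM, uri);
        // Grant applies only to the app that resolves this Intent, not to the world.
        send.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return send;
    }

    /** The report lives under the app's private files dir, inside the whitelisted "reports/" path. */
    public static File reportFile(Context ctx, String name) {
        File dir = new File(ctx.getFilesDir(), "reports");
        dir.mkdirs();
        return new File(dir, name);
    }
}
```

When testing an app on Nougat, a file:// URI in EXTRA_STREAM or setData is a quick finding: either the app crashes on send or, if it targets an older SDK, it is still exposing a filesystem path that any app receiving the Intent can reuse.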
Users of Nexus and Pixel phones get a free built-in VPN through Wi-Fi Assistant, which routes traffic from open Wi-Fi hotspots through Google's servers. It's good to see VPN technology becoming a standard feature, something the Opera browser also now offers.
Android for Work
Companies that use Android for Work get new security features, including an 'always-on' VPN that the administrator can enforce so that work traffic never leaves the device outside the tunnel, a work mode that lets work apps be switched off outside office hours, and separate PINs or passcodes to protect work and personal data.
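The always-on VPN is configured by the device policy controller rather than by the user. The following is an added example, not code from the original post or from Google's own DPC: the profile owner sets the VPN package as always-on with lockdown enabled, so that traffic is blocked rather than sent in the clear whenever the tunnel is down, and then verifies that the policy stuck. The VPN package name is an assumption for this example; the calling app must already be the device or profile owner.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.PackageManager;

public final class WorkVpnPolicy {
    // Assumed package name of the VPN client deployed into the work profile.
    static final String VPN_PACKAGE = "com.example.corpvpn";

    /**
     * Enforce the corporate VPN for the whole profile. Returns true only when the
     * platform reports the policy as applied. 'admin' is this DPC's DeviceAdminReceiver.
     */
    public static boolean enforceAlwaysOnVpn(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        try {
            // lockdownEnabled = true: while the VPN is disconnected or reconnecting, all
            // other network traffic from the profile is dropped instead of bypassing it.
            dpm.setAlwaysOnVpnPackage(admin, VPN_PACKAGE, true);
        } catch (PackageManager.NameNotFoundException e) {
            // VPN client is not installed in this profile; install it first.
            return false;
        } catch (UnsupportedOperationException e) {
            // The package exists but does not support being set as always-on.
            return false;
        }
        return VPN_PACKAGE.equals(dpm.getAlwaysOnVpnPackage(admin));
    }

    /** Remove the requirement, e.g. when the profile is being wiped. */
    public static void clearAlwaysOnVpn(Context ctx, ComponentName admin) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        try {
            dpm.setAlwaysOnVpnPackage(admin, null, false);
        } catch (PackageManager.NameNotFoundException ignored) {
            // Passing null never references a package, so this cannot occur.
        }
    }
}
```

The lockdown flag is the security-relevant choice: without it an always-on VPN only reconnects automatically, and work traffic can still reach the network while the tunnel is down.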
Android 7.x is an impressive leap forward for Google. However, there is now a distinct lag between the release of new security measures and their adoption, caused by the overall fragmentation of the Android ecosystem. With Android Marshmallow only on some 15% of phones, it remains to be seen when all devices and users will get up to speed with the new Android app security model.
Codified Security is here to help make your mobile app secure whether it’s for iOS app security testing, Android app security testing, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.